[wp-hackers] Simple comment spam experiment

Matt Mullenweg m at mullenweg.com
Wed Apr 16 15:25:32 GMT 2008


Otto wrote:
> Conclusion:
> Spammers, for the most part, are not loading the comments form and using it.
> They're merely hitting a list of sites and the wp-comments-post.php file
> directly. Renaming this file and adjusting accordingly has much the same
> effect as using a hidden field, of course.

My conclusion from this is:

Because you do something that almost no one else does, and your site is 
not a large enough target, spammers have not yet done the trivial 
workaround it would require to get past this. If it was put into core, 
they most certainly would.

So, continue to do this if it helps, just don't tell anyone. ;)

From 2002:

http://diveintomark.org/archives/2002/10/29/club_vs_lojack_solutions

"The really interesting thing about these approaches, from a game theory 
perspective, is that they are all Club solutions, not Lojack solutions. 
There are two basic approaches to protecting your car from theft: The 
Club (or The Shield, or a car alarm, or something similar), and Lojack. 
The Club isn’t much protection against a thief who is determined to 
steal your car (it’s easy enough to drill the lock, or just cut the 
steering wheel and slide The Club off). But it is effective protection 
against a thief who wants to steal a car (not necessarily your car), 
because thieves are generally in a hurry and will go for the easiest 
target, the low-hanging fruit. The Club works as long as not everyone 
has it, since if everyone had it, thieves would have an equally 
difficult time stealing any car, their choice will be based on other 
factors, and your car is back to being as vulnerable as anyone else’s. 
The Club doesn’t deter theft, it only deflects it.

"Similarly, installing a secret form field on your comment form will 
stop spammers from spamming your comments, until enough people do that 
that it’s worth the spammer’s time to upgrade their scripts. Ditto 
referer hacks (just set the referer); ditto registration schemes (just 
auto-register); ditto time limits (just hit each weblog sequentially). 
Ditto ditto ditto."

-- 
Matt Mullenweg
http://ma.tt | http://automattic.com
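For readers who want to see what the hidden-field measurement Otto describes looks like in practice, here is an added example (not Otto's code, not Matt's, and not WordPress core): a small plugin that puts a per-post nonce in the comment form, rejects submissions that arrive without it, and counts those rejections so the share of direct hits on wp-comments-post.php can be read back. The prefix `hfx_`, the option name and the field name are constructed for this example.

```php
<?php
/*
Plugin Name: Hidden-field comment experiment (added example)
Description: The kind of hidden-field check discussed in the thread, with a
             counter so the direct-post ratio can be measured.
*/

// Constructed names; nothing here is WordPress core or Otto's code.
define( 'HFX_FIELD',   'hfx_token' );
define( 'HFX_COUNTER', 'hfx_direct_post_count' );

// Emit the hidden field inside the comment form. The 'comment_form' action
// fires just before the closing </form> tag, so only a client that actually
// rendered the form receives the token. Caveat: full-page caching will serve
// stale nonces (they expire after roughly 24 hours) and cause false rejects.
add_action( 'comment_form', function ( $post_id ) {
    $nonce = wp_create_nonce( 'hfx_comment_' . $post_id );
    printf( '<input type="hidden" name="%s" value="%s" />',
        esc_attr( HFX_FIELD ), esc_attr( $nonce ) );
} );

// Inspect every submission before it is stored.
add_filter( 'preprocess_comment', function ( $commentdata ) {
    // Pingbacks and trackbacks never pass through the HTML form; leave them alone.
    $type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
    if ( in_array( $type, array( 'pingback', 'trackback' ), true ) ) {
        return $commentdata;
    }

    $post_id = (int) $commentdata['comment_post_ID'];
    $token   = isset( $_POST[ HFX_FIELD ] ) ? (string) $_POST[ HFX_FIELD ] : '';

    if ( ! wp_verify_nonce( $token, 'hfx_comment_' . $post_id ) ) {
        // Field missing or wrong: the POST did not come through the rendered
        // form, i.e. wp-comments-post.php was hit directly. Count it so the
        // ratio of direct hits to genuine form submissions can be compared
        // against the total comment count later.
        update_option( HFX_COUNTER, (int) get_option( HFX_COUNTER, 0 ) + 1 );
        wp_die( 'Comment rejected.', 'Comment rejected', array( 'response' => 403 ) );
    }
    return $commentdata;
} );
```

Read the counter with `get_option( 'hfx_direct_post_count' )` and set it against the number of accepted comments over the same period; that ratio is the measurement Otto reports, and, as the thread notes, it only stays high until the scripts start loading the form.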


More information about the wp-hackers mailing list